add loopback mappings (#134) (#137)
Signed-off-by: Grant Haywood <grant@phaseshift.studio>
opensearch-trigger-bot[bot] committed Nov 9, 2022
1 parent 2f9a513 commit 1e1cb9b
Showing 5 changed files with 313 additions and 20 deletions.
42 changes: 36 additions & 6 deletions src/main/resources/OSMapping/linux/fieldmappings.yml
@@ -1,7 +1,37 @@
# this file provides pre-defined mappings for Sigma fields defined for all Sigma rules under linux log group to their corresponding ECS Fields.
fieldmappings:
EventID: event_uid
HiveName: unmapped.HiveName
fieldB: mappedB
fieldA1: mappedA

CommandLine: process-command_line
CurrentDirectory: process-working_directory
DestinationHostname: DestinationHostname
DestinationIp: DestinationIp
Image: process-executable
LogonId: process-user-id
ParentCommandLine: process-parent-command_line
ParentImage: process-parent-executable
TargetFilename: TargetFilename
USER: USER
User: process-user-name
a0: auditd-log-a0
a1: auditd-log-a1
a2: auditd-log-a2
a3: auditd-log-a3
a4: auditd-log-a4
a5: auditd-log-a5
a6: auditd-log-a6
a7: auditd-log-a7
comm: auditd-log-comm
cwd: cwd
dd: dd
exe: auditd-log-exe
execve: execve
filter: filter
key: key
name: name
pam_message: pam_message
pam_rhost: pam_rhost
pam_user: pam_user
proctitle: proctitle
syscall: syscall
truncate: truncate
type: type
uid: uid
unit: unit
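Review bot: The header comment on line 1 still says these map Sigma fields to ECS fields, but none of the new targets are ECS names (`process-command_line` rather than `process.command_line`) and a large share of the entries map a field to itself (`DestinationIp: DestinationIp`, `TargetFilename: TargetFilename`, `cwd: cwd`), which only resolves if the ingested index really carries that raw name — a rule whose field is absent from the index never matches, so a loopback entry must not be read as coverage. I would reword the header to `# pre-defined mappings from Sigma fields used by the linux log group to index field names; an entry that maps a field to itself is a loopback and assumes the raw field exists in the index.` Three of the new keys, `dd`, `execve` and `truncate`, read like values (a command, a syscall) rather than field names and are worth checking against the rules they were collected from. `USER` and `User` are kept as two distinct keys with different targets, presumably intentional, but a one-line comment saying so would stop the next reader from "fixing" it.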
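--- a/src/main/resources/OSMapping/linux/mappings.json
+++ b/src/main/resources/OSMapping/linux/mappings.json
@@ -0,0 +1,148 @@
+{
+"properties": {
+"type": {
+"type": "alias",
+"path": "type"
+},
+"name": {
+"type": "alias",
+"path": "name"
+},
+"auditd-log-a0": {
+"type": "alias",
+"path": "auditd-log-a0"
+},
+"auditd-log-a1": {
+"type": "alias",
+"path": "auditd-log-a1"
+},
+"auditd-log-a2": {
+"type": "alias",
+"path": "auditd-log-a2"
+},
+"auditd-log-a3": {
+"type": "alias",
+"path": "auditd-log-a3"
+},
+"auditd-log-a4": {
+"type": "alias",
+"path": "auditd-log-a4"
+},
+"auditd-log-a5": {
+"type": "alias",
+"path": "auditd-log-a5"
+},
+"auditd-log-a6": {
+"type": "alias",
+"path": "auditd-log-a6"
+},
+"auditd-log-a7": {
+"type": "alias",
+"path": "auditd-log-a7"
+},
+"execve": {
+"type": "alias",
+"path": "execve"
+},
+"truncate": {
+"type": "alias",
+"path": "truncate"
+},
+"dd": {
+"type": "alias",
+"path": "dd"
+},
+"filter": {
+"type": "alias",
+"path": "filter"
+},
+"auditd-log-exe": {
+"type": "alias",
+"path": "auditd-log-exe"
+},
+"auditd-log-comm": {
+"type": "alias",
+"path": "auditd-log-comm"
+},
+"proctitle": {
+"type": "alias",
+"path": "proctitle"
+},
+"unit": {
+"type": "alias",
+"path": "unit"
+},
+"key": {
+"type": "alias",
+"path": "key"
+},
+"syscall": {
+"type": "alias",
+"path": "syscall"
+},
+"uid": {
+"type": "alias",
+"path": "uid"
+},
+"cwd": {
+"type": "alias",
+"path": "cwd"
+},
+"USER": {
+"type": "alias",
+"path": "USER"
+},
+"TargetFilename": {
+"type": "alias",
+"path": "TargetFilename"
+},
+"Image": {
+"type": "alias",
+"path": "process-executable"
+},
+"DestinationIp": {
+"type": "alias",
+"path": "DestinationIp"
+},
+"DestinationHostname": {
+"type": "alias",
+"path": "DestinationHostname"
+},
+"pam_message": {
+"type": "alias",
+"path": "pam_message"
+},
+"pam_rhost": {
+"type": "alias",
+"path": "pam_rhost"
+},
+"pam_user": {
+"type": "alias",
+"path": "pam_user"
+},
+"CommandLine": {
+"type": "alias",
+"path": "process-command_line"
+},
+"process-parent-executable": {
+"type": "alias",
+"path": "process-parent-executable"
+},
+"process-user-id": {
+"type": "alias",
+"path": "process-user-id"
+},
+"process-user-name": {
+"type": "alias",
+"path": "process-user-name"
+},
+"process-working_directory": {
+"type": "alias",
+"path": "process-working_directory"
+},
+"process-parent-command_line": {
+"type": "alias",
+"path": "process-parent-command_line"
+}
+}
+}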
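Review bot: Every alias in this new file whose `path` is its own name (`"auditd-log-a0"` → `"auditd-log-a0"`, `"process-user-id"` → `"process-user-id"`) is not a valid OpenSearch field alias if applied verbatim — an alias `path` has to name an existing concrete field, and the alias itself occupies that name — so presumably the plugin rewrites these from `fieldmappings.yml` before the index mapping is applied; that contract deserves a sentence in the yml header since the JSON has no room for a comment. The keys are also inconsistent about which side they sit on: `"Image"` and `"CommandLine"` are keyed by the Sigma name with the target as path, while `"process-parent-executable"`, `"process-user-name"` and `"process-working_directory"` are keyed by the target name with no entry for `ParentImage`, `User` or `CurrentDirectory`, and `process-executable`, the path of `"Image"`, is declared nowhere. Whichever convention is intended, a rule that references the other side will not resolve, and nothing here fails loudly when that happens. I would pick one convention and have the code that applies these mappings check that every alias path lands on a declared field before the mapping is put to an index, so a dangling alias surfaces as an error rather than as a rule that quietly never fires.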
31 changes: 25 additions & 6 deletions src/main/resources/OSMapping/network/fieldmappings.yml
@@ -1,7 +1,26 @@
# this file provides pre-defined mappings for Sigma fields defined for all Sigma rules under network log group to their corresponding ECS Fields.

fieldmappings:
EventID: event_uid
HiveName: unmapped.HiveName
fieldB: mappedB
fieldA1: mappedA
Z: Z
action: action
answers: zeek-dns-answers
c-uri: c-uri
c-useragent: c-useragent
certificate-serial: zeek-x509-certificate-serial
cipher: zeek-kerberos-cipher
client_header_names: zeek-http-client_header_names
dst_ip: netflow-destination_ipv4_address
dst_port: netflow-destination_transport_port
endpoint: zeek-dce_rpc-endpoint
id-orig_h: id-orig_h
id-resp_p: id-resp_p
method: method
name: name
operation: zeek-dce_rpc-operation
path: path
qtype: zeek-dns-qtype_name
query: zeek-dns-query
request_body_len: request_body_len
request_type: zeek-kerberos-request_type
resp_mime_types: zeek-http-resp_mime_types
src_port: netflow-source_transport_port
status_code: status_code
user_agent: user_agent
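Review bot: `src_port`, `dst_ip` and `dst_port` all get entries but there is no `src_ip` (or `source_ip`) mapping, so a rule keyed on the source address has no target even though the source port does; the same commit drops the `source_ip` alias from `network/mappings.json`, so nothing visible here covers it any more. `dst_ip: netflow-destination_ipv4_address` also narrows the destination to a field whose name says IPv4, which is worth confirming so IPv6 flow records are not silently excluded from matching. As in the linux file, the header comment still promises ECS while the targets are `zeek-*`/`netflow-*` names and a number of entries are self-mappings; `# maps Sigma network fields to index field names; an entry mapping a field to itself is a loopback and assumes the raw field exists in the index` would describe the file accurately.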
100 changes: 98 additions & 2 deletions src/main/resources/OSMapping/network/mappings.json
@@ -1,8 +1,104 @@
{
"properties": {
"source_ip": {
"dst_port": {
"type": "alias",
"path": "src_ip"
"path": "dst_port"
},
"src_port": {
"type": "alias",
"path": "src_port"
},
"action": {
"type": "alias",
"path": "action"
},
"dst_ip": {
"type": "alias",
"path": "dst_ip"
},
"operation": {
"type": "alias",
"path": "operation"
},
"endpoint": {
"type": "alias",
"path": "endpoint"
},
"path": {
"type": "alias",
"path": "path"
},
"certificate-serial": {
"type": "alias",
"path": "certificate-serial"
},
"query": {
"type": "alias",
"path": "query"
},
"Z": {
"type": "alias",
"path": "Z"
},
"qtype": {
"type": "alias",
"path": "qtype"
},
"answers": {
"type": "alias",
"path": "answers"
},
"id-resp_p": {
"type": "alias",
"path": "id-resp_p"
},
"resp_mime_types": {
"type": "alias",
"path": "resp_mime_types"
},
"c-uri": {
"type": "alias",
"path": "c-uri"
},
"c-useragent": {
"type": "alias",
"path": "c-useragent"
},
"status_code": {
"type": "alias",
"path": "status_code"
},
"client_header_names": {
"type": "alias",
"path": "client_header_names"
},
"request_body_len": {
"type": "alias",
"path": "request_body_len"
},
"user_agent": {
"type": "alias",
"path": "user_agent"
},
"method": {
"type": "alias",
"path": "method"
},
"id-orig_h": {
"type": "alias",
"path": "id-orig_h"
},
"name": {
"type": "alias",
"path": "name"
},
"zeek-kerberos-cipher": {
"type": "alias",
"path": "zeek-kerberos-cipher"
},
"zeek-kerberos-request_type": {
"type": "alias",
"path": "zeek-kerberos-request_type"
}
}
}
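Review bot: The replaced `"source_ip"` alias is not re-added under any name, while `"src_port"`, `"dst_ip"` and `"dst_port"` are, so source-address rules lose their field. More importantly this file disagrees with `network/fieldmappings.yml` on almost every entry: the yml maps `answers` to `zeek-dns-answers` and `dst_ip` to `netflow-destination_ipv4_address`, but here `"answers"` and `"dst_ip"` alias to themselves, and only `"zeek-kerberos-cipher"` and `"zeek-kerberos-request_type"` are keyed by the target name. A self-referencing alias is not accepted by OpenSearch as-is (the `path` must point to an existing concrete field), so either this file is a placeholder the plugin rewrites — in which case the yml is the source of truth and these entries would be safer generated from it than kept by hand — or several of these aliases will fail to resolve. Either way the two files should be reconciled so a rule field resolves the same way on both paths.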
12 changes: 6 additions & 6 deletions src/main/resources/OSMapping/windows/mappings.json
Expand Up @@ -2,27 +2,27 @@
"properties": {
"windows-event_data-CommandLine": {
"type": "alias",
"path": "CommandLine"
"path": "windows-event_data-CommandLine"
},
"event_uid": {
"type": "alias",
"path": "EventID"
"path": "event_uid"
},
"windows-hostname": {
"type": "alias",
"path": "HostName"
"path": "windows-hostname"
},
"windows-message": {
"type": "alias",
"path": "Message"
"path": "windows-message"
},
"windows-provider-name": {
"type": "alias",
"path": "Provider_Name"
"path": "windows-provider-name"
},
"windows-servicename": {
"type": "alias",
"path": "ServiceName"
"path": "windows-servicename"
}
}
}
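Review bot: Changing each alias `path` from the raw Windows field (`"EventID"`, `"Provider_Name"`, `"ServiceName"`) to the alias's own name removes the only link these aliases had to a concrete field; an OpenSearch field alias needs a `path` that names an existing field, and it cannot be the alias itself, so on an index that carries the raw names this mapping stops resolving `event_uid` to `EventID` unless the plugin substitutes the path before applying it. If that substitution is the intended design, the commit should say so somewhere a reader will find it (the yml header or a README), since the JSON cannot carry the note; if it is not, the previous paths were the ones that worked. The enclosing `"properties"` object starts above the hunk, so any aliases there that still point at raw fields would be inconsistent with these six and are worth the same look.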
